Internal Comms And Compliance – What Should, Or Shouldn’t, You Retain?


Data compliance is one of the trickiest areas to handle as a business owner or information practitioner. This is a particular issue in the UK: ITPro highlights the fact that the UK is the second most fined country when it comes to GDPR breaches alone, although it also notes that regulators are particularly slow at collecting. Reputationally, however, these fines can be damaging to customer and partner confidence, and a place where slip-ups frequently occur is internal comms. Ensuring that you collect the right data, and only retain what is necessary, is important to the growth and security of your business.

What to keep

One of the key areas of GDPR compliance concerns MiFID II Article 16(7). This mandates that businesses must keep a 7-year record of any communications pertaining to a sale, whether that sale is completed or not. That includes telephone communications. It’s important, however, that you only retain communications within this scope. highlights the huge fine handed down to lifestyle service Bounty for poor privacy practices, including retaining unnecessary client data from customer service operations. Ensure that the data you collect on sales pertains only to the relevant matters and does not ‘fish-net’ in other private client details – yours, or those of your business partners.

What to destroy

The clearest defining line between what you should and shouldn’t collect is shown, according to web mag IT Governance, in the distinction between personal and sensitive data. Personal data is simple – name, address, IP address, location data, and so on – but still protected. Do you need to collect these information points within your internal data policy? Sensitive data concerns protected demographic data – for instance, age, religion, sexuality, political opinions, membership of unions and so on. There are some legitimate uses for this data, but it must be kept clearly sequestered from personal data and never be used in the process of marketing outside of the business. When it comes to internal communications, sensitive data must never be used without the express consent of employees, and must not be collected unless express consent has been given, either.

What you should provide

The ICO provides an in-depth analysis of the data that you must provide when working internally or with other businesses. That obviously includes the name of the organisation, but factors such as the name of the individual representative are not always required. The main point is establishing what you do need to share and retain; data protection is not just about incoming data, but about what you provide, too. With a loose data sharing policy you can inadvertently pass on protected information, or data that was not yours to share. Being fully aware of the ICO’s priorities and how they translate to your own work is the important factor.

However the data was collected, GDPR fines are a reflection of a poor data security culture and have a huge impact on your reputation. Making sure that you only collect the data you need shows fairness to yourself, to regulators, and most importantly, to customers.
